Systems and methods for sharing security capabilities of network devices are disclosed. A system for a first network device includes a memory. The system also includes one or more processors, coupled to the memory, to receive, at the first network device, security capabilities of a second network device of a network. The network includes the first network device and the second network device. The one or more processors are further to modify a routing table of the first network device based on the security capabilities of the second network device and transmit a data packet based on the modified routing table.
Legal claims defining the scope of protection, as filed with the USPTO.
. A system for a first network device comprising:
. The system of, wherein the security capabilities of the second network device comprise at least one of:
. The system of, wherein the security capabilities of the second network device are received from the second network device.
. The system of, wherein the one or more processors are further to:
. The system of, wherein the security capabilities of the second network device are received from a network controller.
. The system of, wherein the one or more processors are further to:
. The system of, wherein the one or more processors are further to:
. The system of, wherein the security metrics are received from the second network device.
. The system of, wherein the security metrics are received from a network controller.
. A method comprising:
. The method of, wherein the security capabilities of the second network device comprise at least one of:
. The method of, wherein the security capabilities of the second network device are received from the second network device.
. The method of, further comprising:
. The method of, wherein the security capabilities of the second network device are received from a network controller.
. The method of, further comprising:
. The method of, further comprising:
. The method of, wherein the security metrics are received from the second network device.
. The method of, wherein the security metrics are received from a network controller.
. A network device comprising:
. The network device of, wherein the security capabilities of the second network device comprise at least one of:
Complete technical specification and implementation details from the patent document.
At least one embodiment pertains to systems and methods for establishing secure connections through a network in a peer-to-peer manner.
Current networking devices can compute an optimal path through a network (e.g., through multiple network devices) based on certain characteristics of the networking devices, such as available bandwidth, latency, distance (e.g., number of hops, geographic distance, etc.), and the like. In some cases, optimal can mean that the path satisfies traffic engineering objectives, customer service-level agreements, and/or other business and/or networking objectives. After establishing a route for particular packets to follow from point A to point B, encryption (e.g., MACsec, IPsec, etc.) can be added to the route.
After establishing a route through a network, encryption (e.g., MACsec, IPsec, etc.) can be added to the route. If one or more of the network devices along the route do not support the desired security characteristics (e.g., encryption method, cryptographic capabilities, etc.), a new route will need to be calculated and encryption will be attempted again. This can increase the time and effort required to configure paths through a network that meet certain security criteria.
Aspects and embodiments of the present disclosure address these and other technological challenges by providing for systems and techniques that allow for sharing security capabilities of a network device with other devices of the network to facilitate establishing routes through the network that meet certain security criteria. For example, an entity may wish to establish a connection (e.g., a network route) between point A (e.g., a datacenter in San Francisco) and point B (e.g., a datacenter in New York) through a network (e.g., the Internet). The entity may not be interested in the specific path travelled through the network so long as specified criteria are met. For example, the entity may desire that the route through the network support at least 100 Gb of bandwidth (e.g., a network performance characteristic) and AES encryption at each network device along the path (e.g., a security network routing characteristic unique to this disclosure).
To determine which network devices of the network can be included in the route, each network device may determine its own security characteristics (e.g., which interface-level encryption capabilities are supported, which cipher suites are supported, which AES modes are supported, which characteristics of IPsec and/or MACsec are supported, whether one or more proprietary data plane encryption technologies (e.g., VXLANsec) are supported, etc.). Each network device may transmit a representation of its security characteristics to one or more other network devices (e.g., peer network devices, a network controller, etc.). The network performance characteristics (e.g., latency, bandwidth, etc.) (or a representation thereof) may also be transmitted to one or more network devices. Once each network device knows the network performance routing characteristics and the security network routing characteristics of the other network devices of the network (or once a central network controller knows the network performance routing characteristics and the security network routing characteristics of the network devices of the network), a network route may be determined that satisfies the routing criteria (e.g., using modified versions of network performance routing algorithms that additionally consider the security network routing characteristics of each network device). Each network device may update its local routing table according to the determined network route.
In some implementations, network routes may be determined (or updated/modified) based on past security performance of a network device. For example, in addition to transmitting to other network devices the determined security network routing characteristics of a network device, a network device may transmit metrics that can identify a “health” (e.g., security health) of the network device. The metrics may indicate a percentage of how many network packets were successfully encrypted/decrypted by the network device within a predetermined timeframe, how often the network device rotated encryption keys, how long it takes the network device to rotate encryption keys, and the like. A network route may be modified if one of the metrics fails to satisfy a predetermined criterion. For example, a network route may avoid a particular network device if it successfully encrypted/decrypted less than 90% (or 95%, 99%, 80%, etc.) of network packets received in the last hour (or day, 30 minutes, 15 minutes, week, etc.).
According to some aspects of the disclosure, the network devices of the network communicate with one another directly (e.g., peer-to-peer) and can update their own routing tables based on information (e.g., security capabilities, security metrics, etc.) received from peer network devices. According to other aspects of the disclosure, each network device communicates its security capabilities and security metrics to a central network controller. The network controller can generate routing tables for each network device based on the security capabilities and security metrics of each network device of the network (e.g., controller-based network routing). For example, the routing table can reflect the security capabilities and/or security metrics of one or more network devices. The network controller can transmit the routing table for each network device to the respective network device, which can route data packets through the network in accordance with the received routing table.
The advantages of the disclosed techniques include but are not limited to an improved security posture of networks that implement the disclosed techniques. The advantages of the disclosed techniques can also include improved robustness of network traffic engineering of networks that implement the disclosed techniques.
The figure illustrates an example system for secured routing through a network, in accordance with at least some embodiments. The system can include one or more network devices and a network controller connected to a network. The network can be a public network (e.g., the Internet), a private network (e.g., a local area network (LAN) or wide area network (WAN)), a wireless network, a personal area network (PAN), another network type, and/or a combination thereof. The network can be a service provider network or a data center network. The network can be a pure internet protocol (IP) routed network, a connection-oriented network (e.g., multiprotocol label switching (MPLS)), and/or an optical transport network (e.g., optical transport network (OTN), dense wavelength-division multiplexing (DWDM), etc.).
The network devices can include security capability subsystems, security metrics subsystems, and routing tables. According to some aspects of the disclosure, the network devices can include routing subsystems. The network devices can include physical network devices (e.g., routers, switches, access points, modems, hubs, optical network elements, etc.), virtual network devices (e.g., virtual network interfaces, virtual switches, virtual network adapters, etc.), and/or a combination thereof. In some embodiments, a network device can be a component of a computing system. For example, a network device may be a data processing unit (DPU) of a computing system that may be connected to one or more other devices.
Each network device can include a security capability subsystem for identifying and reporting the security capabilities of that network device. For example, the security capability subsystem of a given network device can identify and report the security capabilities of that device.
Security capabilities identified by the security capability subsystem can include interface-level encryption capabilities, encryption-technology specific capabilities, secure boot capabilities, cryptographic signature capabilities, software version information, and/or firmware version information. Interface-level encryption capabilities can include information about MACsec, IPsec, VXLANsec, OTNsec, and the like. Encryption-technology specific capabilities can include information about cipher suites supported by the network device, supported advanced encryption standard (AES) modes, whether authenticated encryption (e.g., GCM) is supported, supported authentication algorithms, whether port-level or flow-level MACsec encryption is supported, key rotation capabilities, encryption latencies, and the like. Secure boot capabilities can include information about whether the network device can perform a secure boot (e.g., verifying a software/firmware signature before loading the software/firmware). Cryptographic signature capabilities can include information about whether the network device can perform cryptographic signature verification. Software and/or firmware version information can include information indicating whether particular security patches have been applied to the network device.
The security capability subsystem, after identifying and/or determining the security capabilities of its network device, can report (e.g., transmit) the security capabilities (or a representation thereof) to one or more other devices. According to some aspects of the disclosure, the security capability subsystem can transmit the security capabilities to a peer network device. According to other aspects of the disclosure, the security capability subsystem can transmit the security capabilities to a network controller (e.g., a central device that manages connections and/or routes within a network).
Each network device can include a security metrics subsystem for identifying and reporting security metrics of that network device. For example, the security metrics subsystem of a given network device can identify and report the security metrics of that device.
Security metrics identified by the security metrics subsystem can include indications of past security performance of a network device. For example, the security metrics may indicate a “health” of the network device. The security metrics can indicate a percentage of how many network packets were successfully encrypted/decrypted by the network device within a predetermined timeframe (e.g., 1 minute, 30 minutes, 1 hour, 12 hours, 1 day, etc.), how often the network device rotated encryption keys, how long it takes the network device to rotate encryption keys, and the like.
The security metrics subsystem, after identifying and/or determining the security metrics of its network device, can report (e.g., transmit) the security metrics (or a representation thereof) to one or more other devices. According to some aspects of the disclosure, the security metrics subsystem can transmit the security metrics to a peer network device. According to other aspects of the disclosure, the security metrics subsystem can transmit the security metrics to a network controller. In some embodiments, the security metrics are transmitted along with the security capabilities of the network device. For example, the security capabilities of the network device may be represented as a sequence of bits, with one or more bits representing each security capability of the network device. The security metrics may be represented as a sequence of bits that is appended to the sequence of bits representing the security capabilities of the network device. In some embodiments, the security metrics are transmitted separately from the security capabilities of the network device.
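As an added example (not the patent's own format), the following Python encodes a device's security capabilities as a bit sequence with its security metrics appended, as the paragraph above describes, and decodes such an advertisement with the checks a receiving peer or controller should apply before trusting it. The field layout, capability names and sample values are assumptions.

```python
import struct
from dataclasses import dataclass

# Assumed wire layout (not taken from the patent): a version byte, one byte of
# capability bits, then the security metrics appended as the text describes:
# one byte for the encrypt/decrypt success percentage and two bytes for the
# key-rotation time in seconds. Big-endian throughout.
ADV_VERSION = 1
ADV_FORMAT = ">BBBH"
ADV_LEN = struct.calcsize(ADV_FORMAT)  # 5 bytes

# One bit per capability (assumed assignment). Bit 7 is deliberately undefined.
CAPABILITY_BITS = {
    "macsec": 0, "ipsec": 1, "vxlansec": 2, "otnsec": 3,
    "aes_gcm": 4, "secure_boot": 5, "signature_verify": 6,
}
KNOWN_MASK = sum(1 << b for b in CAPABILITY_BITS.values())


@dataclass(frozen=True)
class SecurityAdvertisement:
    capabilities: frozenset       # names drawn from CAPABILITY_BITS
    crypto_success_pct: int       # 0..100, packets encrypted/decrypted OK in the window
    key_rotation_seconds: int     # how long a key rotation takes


def encode_advertisement(adv: SecurityAdvertisement) -> bytes:
    """Serialize the capabilities as a bitmap with the metrics appended."""
    unknown = adv.capabilities - set(CAPABILITY_BITS)
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    if not 0 <= adv.crypto_success_pct <= 100:
        raise ValueError("success percentage must be 0..100")
    if not 0 <= adv.key_rotation_seconds <= 0xFFFF:
        raise ValueError("key-rotation time does not fit in 16 bits")
    bitmap = 0
    for name in adv.capabilities:
        bitmap |= 1 << CAPABILITY_BITS[name]
    return struct.pack(ADV_FORMAT, ADV_VERSION, bitmap,
                       adv.crypto_success_pct, adv.key_rotation_seconds)


def decode_advertisement(data: bytes) -> SecurityAdvertisement:
    """Parse an advertisement received from a peer or controller, rejecting
    anything that does not match the expected layout rather than guessing."""
    if len(data) != ADV_LEN:
        raise ValueError(f"expected {ADV_LEN} bytes, got {len(data)}")
    version, bitmap, pct, rotation = struct.unpack(ADV_FORMAT, data)
    if version != ADV_VERSION:
        raise ValueError(f"unsupported advertisement version {version}")
    if bitmap & ~KNOWN_MASK:
        # A peer claiming capabilities this receiver cannot interpret must not
        # be silently treated as more capable than it is.
        raise ValueError("advertisement sets undefined capability bits")
    if pct > 100:
        raise ValueError("success percentage out of range")
    caps = frozenset(n for n, b in CAPABILITY_BITS.items() if bitmap & (1 << b))
    return SecurityAdvertisement(caps, pct, rotation)


if __name__ == "__main__":
    # Constructed sample: a device supporting MACsec, AES-GCM and secure boot,
    # reporting 97% successful crypto operations and 300 s key rotations.
    sample = SecurityAdvertisement(frozenset({"macsec", "aes_gcm", "secure_boot"}), 97, 300)
    wire = encode_advertisement(sample)
    print(wire.hex(), decode_advertisement(wire) == sample)
```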
According to some aspects of the disclosure, a network device can include a routing subsystem for modifying the routing table of the network device. The routing subsystem can use one or more routing algorithms for modifying the routing table. For example, the routing subsystem can use an interior gateway protocol (e.g., intermediate system to intermediate system (IS-IS), open shortest path first (OSPF), etc.) and/or an exterior gateway protocol (e.g., border gateway protocol (BGP), etc.). The routing subsystem can add one or more routes to the routing table based on a combination of network performance routing characteristics (e.g., latency, bandwidth, number of hops, etc.) and security characteristics, such as those transmitted by the security capability subsystems and security metrics subsystems of the network devices. For example, a network device may be configured to establish a route to another network device that supports at least 100 Gb of bandwidth and AES encryption. Based on information the network device has received from peer network devices and/or the network controller, the routing subsystem may add a route to the routing table that satisfies the 100 Gb bandwidth and AES encryption criteria.
According to some aspects of the disclosure, a network device receives data related to the capabilities of peer network devices from the peer network devices. According to other aspects of the disclosure, the network device receives data related to the capabilities of peer network devices from the network controller, and the routing subsystem can update the routing table based on the information received from the network controller. According to some aspects of the disclosure, the network device does not include a routing subsystem and receives its routing table directly from the network controller. After determining the routing table (e.g., via the routing subsystem, via the network controller, etc.), the network device can transmit one or more packets via the route(s) included in the routing table.
A network route can be modified if one of the security metrics of a peer network device fails to satisfy a predetermined criterion. For example, the routing table can be modified (e.g., by the routing subsystem, by the network controller) based on security metrics of peer network devices. According to some aspects of the disclosure, the security metrics are received from the peer network device. According to other aspects of the disclosure, the security metrics are received from the network controller. As an example, a network route may avoid a particular network device if, as indicated by security metrics of the network device, the network device successfully encrypted/decrypted less than 90% (or 95%, 99%, 80%, etc.) of network packets received in the last hour (or day, 30 minutes, 15 minutes, week, etc.). The routing subsystem can periodically evaluate whether the routing table needs to be modified based on security metrics that fail to satisfy a predetermined criterion. In some cases, the routing subsystem can include in the routing table one or more alternative (e.g., backup, fallback, etc.) routes that satisfy the predetermined criterion. If the routing subsystem determines that a particular route fails to satisfy the predetermined criterion, the routing subsystem can start to route traffic over one of the alternative routes included in the routing table.
According to some aspects of the disclosure, the network controller can determine routing tables for the network devices of a network. The network controller can include a security capability routing subsystem and a security metrics routing subsystem. The security capability routing subsystem can receive security capabilities from one or more network devices. Based on the received security capabilities, the security capability routing subsystem can generate and/or modify a routing table for each network device.
Each routing table may include route(s) between the network devices that satisfy one or more routing configurations (or segment(s) of routing configurations). For example, a routing configuration may define a connection (e.g., a network route) between point A (e.g., a datacenter in San Francisco) and point B (e.g., a datacenter in New York) through a network (e.g., the Internet, the network described above, etc.). The routing configuration can include one or more criteria that the network route should satisfy. For example, the routing configuration may specify that the network route supports at least 100 Gb of bandwidth and AES encryption at each network device along the route. Based on the routing configuration and the received security capabilities of the network devices of the network, the network controller can generate a routing table for each network device such that the route(s) of the routing configuration are established within the network.
The security metrics routing subsystem can receive security metrics from one or more network devices. Based on the received security metrics, the security metrics routing subsystem can generate and/or modify a routing table for each network device. As an example, a routing configuration may include a security metrics criterion requiring that all network devices of the network route successfully encrypted/decrypted at least 90% (or 95%, 99%, 80%, etc.) of network packets received in the last hour (or day, 30 minutes, 15 minutes, week, etc.). If the network controller receives security metrics of a network device that fail to satisfy the security metrics criterion of a routing configuration, the security metrics routing subsystem may modify routes within the routing tables of the network devices to avoid the network device that failed to satisfy the criterion.
After generating and/or modifying routing tables of network devices, the network controller can transmit the routing table corresponding to each network device to the respective network device. Each network device can receive its routing table from the network controller and begin to route network data packets according to the received routing table.
According to some aspects of the disclosure, network devices can transmit their security capabilities and/or their security metrics to the network controller (e.g., instead of to peer network devices). The network controller can retransmit the security capabilities and/or security metrics of each network device to the other network devices of the network. Each network device can generate and/or modify its routing table based on security capabilities and/or security metrics received from the network controller.
The figure illustrates an example network for secured network routing, in accordance with at least some embodiments. The network can include one or more network devices, such as the four network devices depicted. Network devices of the network can be connected via one or more network connections, each joining a pair of network devices; four such network connections are depicted.
In some embodiments, one of these network devices can correspond to the network device of the system described above. For simplicity, only the subsystems and routing table of that network device are depicted, but it should be understood that the other network devices can include similar subsystems and corresponding routing tables.
The network device can include a security capability subsystem for determining the security capabilities of the network device and for transmitting the security capabilities (or a representation thereof) to peer network devices. For example, the security capability subsystem can determine the cipher suites and AES encryption modes supported by the network device and can transmit a representation of that information to one peer network device via one network connection and/or to another peer network device via another network connection. According to some aspects of the disclosure, the security capability subsystem transmits a representation of the security capabilities of the network device to all connected peer network devices. According to other aspects of the disclosure, the security capability subsystem transmits a representation of the security capabilities of the network device to a subset of the connected peer network devices.
The network device can include a security metrics subsystem for calculating security metrics of the network device and for transmitting the security metrics (or a representation thereof) to peer network devices. For example, the security metrics subsystem can determine a percentage of successful encryptions/decryptions performed by the network device during a predetermined timeframe (e.g., 15 minutes, 1 hour, 12 hours, 1 day, 1 week, etc.) and can transmit a representation of that information to one peer network device via one network connection and/or to another peer network device via another network connection. According to some aspects of the disclosure, the security metrics subsystem transmits a representation of the security metrics of the network device to all connected peer network devices. According to other aspects of the disclosure, the security metrics subsystem transmits a representation of the security metrics of the network device to a subset of the connected peer network devices.
According to some aspects of the disclosure, a network device can receive security capabilities and/or security metrics of a peer network device (or representations thereof) and can forward the data to connected peer network devices. For example, the network device can receive the security capabilities and/or security metrics of one peer network device (or representations thereof) and can forward (e.g., retransmit) them to another peer network device, or vice versa. Thus, two network devices can be informed of each other's security capabilities and/or security metrics without being directly connected.
The network device can include a routing subsystem for generating its routing table. The routing subsystem can receive security capabilities and/or security metrics (or representations thereof) from peer network devices and can add routes to the routing table that satisfy a network configuration based on the received security capabilities and/or security metrics. For example, a network configuration can define a route between the network device and a destination network device that is reachable through either of two intermediate network devices. The network configuration may require that the route support AES encryption at each network device. If one intermediate network device does not support AES encryption and the other does, the routing subsystem will add an entry to the routing table indicating that network packets intended for the destination should go to the AES-capable intermediate device via the network connection to it, instead of going to the non-AES intermediate device via the network connection to that device. The routing table of the AES-capable intermediate device would have a corresponding entry indicating that network packets received from the network device via that connection and intended for the destination should be sent to the destination via the network connection between them.
A network configuration can require that each network device along a route between two network devices have security metrics that satisfy a security metrics criterion. For example, a network configuration can require that each network device along the route between the network device and the destination network device have a successful encryption/decryption security metric of at least 90%. At a first time, the routing subsystem can include an entry in the routing table indicating that network packets intended for the destination should go to a first intermediate network device via the network connection to it. At a second time, the routing subsystem can receive updated security metrics for the first intermediate network device and for a second intermediate network device. If the successful encryption/decryption security metric of the first intermediate network device has fallen below 90% and the security metric of the second intermediate network device is greater than or equal to 90%, the routing subsystem of the network device can modify the routing table to include an entry indicating that network packets intended for the destination should now go to the second intermediate network device via the network connection to it instead of going to the first intermediate network device. Upon receiving a network packet for the destination, the network device can send the network packet to the second intermediate network device via that network connection, in accordance with the modified routing table.
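The following Python is an added example, not the patent's algorithm, of the security-aware route selection described in the two paragraphs above and in the earlier paragraphs on routing subsystems and metric thresholds: a latency-shortest-path search that drops intermediate devices lacking a required capability or reporting an unhealthy encryption success rate, builds a next-hop table as a routing subsystem or a controller would, and re-evaluates when a metrics update arrives. The four-device topology, link values, capability names and the choice to screen only intermediate devices (not the endpoints) are assumptions.

```python
import heapq
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    capabilities: frozenset      # advertised security capabilities
    crypto_success_pct: float    # % of packets encrypted/decrypted OK in the window


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    bandwidth_gb: int
    latency_ms: float


@dataclass(frozen=True)
class RoutePolicy:
    required_caps: frozenset     # every intermediate device must advertise these
    min_success_pct: float       # and report at least this success metric
    min_bandwidth_gb: int        # every link on the route must offer at least this


def transit_eligible(dev: Device, policy: RoutePolicy) -> bool:
    """A device may carry the route only if it has the capabilities and a healthy metric."""
    return (policy.required_caps <= dev.capabilities
            and dev.crypto_success_pct >= policy.min_success_pct)


def compute_path(devices, links, src, dst, policy):
    """Lowest-latency path src->dst whose intermediate devices are all eligible and
    whose links meet the bandwidth floor. Returns device names, or None if no
    compliant route exists. Endpoints are not screened (assumption)."""
    adjacency = {}
    for link in links:
        if link.bandwidth_gb < policy.min_bandwidth_gb:
            continue                      # link fails the performance criterion
        adjacency.setdefault(link.a, []).append((link.b, link.latency_ms))
        adjacency.setdefault(link.b, []).append((link.a, link.latency_ms))
    dist, prev, heap = {src: 0.0}, {}, [(0.0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue                      # stale heap entry
        for v, w in adjacency.get(u, []):
            # Security screening: a non-destination device failing the policy is
            # treated exactly like an unreachable hop.
            if v != dst and not transit_eligible(devices[v], policy):
                continue
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def build_routing_table(devices, links, src, policy):
    """Next hop per reachable destination: the table a routing subsystem or a
    controller would install on src. Destinations with no compliant route are omitted."""
    table = {}
    for dst in devices:
        if dst == src:
            continue
        path = compute_path(devices, links, src, dst, policy)
        if path:
            table[dst] = path[1]
    return table


def changed_next_hops(old, new):
    """Destinations whose next hop changed after a capability/metric update."""
    return {d: (old.get(d), new.get(d)) for d in old.keys() | new.keys()
            if old.get(d) != new.get(d)}


# Constructed topology: dev1-dev2-dev4 (fast) and dev1-dev3-dev4 (slower); all values assumed.
LINKS = (Link("dev1", "dev2", 100, 1.0), Link("dev2", "dev4", 100, 1.0),
         Link("dev1", "dev3", 100, 3.0), Link("dev3", "dev4", 100, 3.0))
POLICY = RoutePolicy(frozenset({"aes_gcm"}), 90.0, 100)


def scenario_capability_gap():
    """dev2 lacks AES, so dev1 reaches dev4 via the slower but compliant dev3."""
    devs = {"dev1": Device("dev1", frozenset({"aes_gcm"}), 99.0),
            "dev2": Device("dev2", frozenset(), 99.0),
            "dev3": Device("dev3", frozenset({"aes_gcm"}), 99.0),
            "dev4": Device("dev4", frozenset({"aes_gcm"}), 99.0)}
    return build_routing_table(devs, LINKS, "dev1", POLICY)


def scenario_metric_drop():
    """Both intermediates support AES; dev2's success rate then falls below 90%."""
    devs = {n: Device(n, frozenset({"aes_gcm"}), 99.0) for n in ("dev1", "dev2", "dev3", "dev4")}
    before = build_routing_table(devs, LINKS, "dev1", POLICY)
    devs["dev2"].crypto_success_pct = 85.0   # periodic metrics update arrives
    after = build_routing_table(devs, LINKS, "dev1", POLICY)
    return before, after, changed_next_hops(before, after)


if __name__ == "__main__":
    print(scenario_capability_gap())
    print(scenario_metric_drop())
```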
A route through the network can pass through one or more network devices and can include one or more network connections. In some embodiments, two network devices in the network can be connected via more than one route. For example, one network device can reach another via one pair of network connections through one intermediate network device, or via a second pair of network connections through another. Based on the security capabilities and/or security metrics of the intermediate network devices, the network device may use a different route to connect to the other network device.
The figure illustrates an example network for secured network routing, in accordance with at least some embodiments. The network can include one or more network devices, such as the four network devices depicted, and a network controller. The network controller can include a software defined network (SDN) controller and/or a network management system (NMS).
Network devices of the network can be connected via one or more network connections, each joining a pair of network devices; four such network connections are depicted.
The network can also include a network controller for determining routing tables for the network devices of the network. In some embodiments, this network controller can be the same as the network controller of the system described above. Network devices of the network can be connected to the network controller via one or more network controller connections. Only two network controller connections are depicted, but it is to be understood that each network device can have a corresponding network controller connection.
The network device can include a security capability subsystem for determining the security capabilities of the network device and for transmitting the security capabilities (or a representation thereof) to a network controller. For example, the security capability subsystem can determine whether the network device supports secure boot and can transmit a representation of that information to the network controller (e.g., via a network controller connection). According to some aspects of the disclosure, the security capability subsystem can transmit a representation of the security capabilities to both a network controller and one or more peer network devices.
The network device can include a security metrics subsystem for calculating security metrics of the network device and for transmitting the security metrics (or a representation thereof) to a network controller. For example, the security metrics subsystem can determine a key-rotation latency of the network device and can transmit a representation of that information to the network controller (e.g., via a network controller connection). According to some aspects of the disclosure, the security metrics subsystem can transmit a representation of the security metrics to both a network controller and one or more peer network devices.
According to some aspects of the disclosure, the network device can include a routing subsystem for generating its routing table. The routing subsystem can receive security capabilities and/or security metrics (or representations thereof) of peer network devices from the network controller and can add routes to the routing table that satisfy a network configuration based on the received security capabilities and/or security metrics. According to other aspects of the disclosure, the network device receives its routing table from the network controller (e.g., via a network controller connection) instead of generating the routing table itself.
The network controller can determine routing tables for the network devices of the network. According to some aspects of the disclosure, the network controller receives security capabilities and security metrics (or representations thereof) of the network devices of the network. For example, the security capability subsystems and/or security metrics subsystems of the network devices may transmit their respective security capabilities and/or security metrics (or representations thereof) to the network controller via one or more network controller connections.
The network controller can generate a routing table for each network device of the network based on the security capabilities and security metrics of the network devices of the network. The network controller can generate routing tables based on the security capabilities and security metrics that satisfy the security criteria of a network configuration.
The network controller can receive periodic security capability and/or security metric updates from the network devices. The network controller can generate modified routing tables based on the updated security capabilities and/or security metrics. The modified routing tables can be provided to the corresponding network devices, which can start to route packets based on the modified routing table. According to some aspects of the disclosure, the routing tables for each network device are provided to all network devices. According to some aspects of the disclosure, the routing table for each network device is provided only to the respective network device. According to some aspects of the disclosure, multiple routing tables can be generated for a network device over time. For example, a network device may receive a first routing table at a first time, a second routing table at a second time, a third routing table at a third time, etc.
is a flow diagram of an example method for secured network routing, in accordance with at least one embodiment. is a flow diagram of an example method for secured network routing, in accordance with at least one embodiment. Methods and/or may be performed using one or more processing units or processors (e.g., CPUs, GPUs, accelerators, physics processing units (PPUs), data processing units (DPUs), etc.), which may include (or communicate with) one or more memory devices. According to some aspects of the disclosure, methods and/or may be performed using a processing device. According to some aspects of the disclosure, methods and/or may be performed using processing units of network device and/or network device of. According to some aspects of the disclosure, processing units performing any of methods and/or may be executing instructions stored on a non-transient computer-readable storage medium. According to some aspects of the disclosure, any of methods and/or may be performed using multiple processing threads (e.g., CPU threads and/or GPU threads), with individual threads executing one or more individual functions, routines, subroutines, or operations of the method. According to some aspects of the disclosure, processing threads implementing any of methods and/or may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, processing threads implementing any of methods and/or may be executed asynchronously with respect to each other. Various operations of methods and/or may be performed in a different order compared with the order shown in. Some operations of methods and/or may be performed concurrently with other operations. According to some aspects of the disclosure, one or more operations shown in and/or may not always be performed.
Referring to, at block, processing units executing method can receive, at a first network device (e.g., network device, etc.), security capabilities of a second network device (e.g., network device) of a network. The network can include the first network device and the second network device. The security capabilities of the second network device can include interface-level encryption capabilities (e.g., information about MACsec, IPsec, VXLANsec, OTNsec, etc.), encryption-technology-specific capabilities (e.g., information about cipher suites supported by the network device, supported advanced encryption standard (AES) modes, whether authenticated encryption (e.g., GCM) is supported, supported authentication algorithms, whether port-level or flow-level MACsec encryption is supported, key rotation capabilities, encryption latencies, etc.), secure boot capabilities (e.g., information about whether the network device can perform a secure boot (e.g., verifying a software/firmware signature before loading the software/firmware)), cryptographic signature capabilities (e.g., information about whether the network device can perform cryptographic signature verification), software version information, and/or firmware version information (e.g., whether particular security patches have been applied to the network device).
At block, processing units can modify a routing table of the first network device (e.g., routing table) based on the security capabilities of the second network device. For example, a routing algorithm (e.g., IS-IS, OSPF, BGP, EGP, etc.) can be used to calculate route(s) through the network based on the security capabilities of the second network device and/or one or more properties of other network devices in the network (if present). Processing units can modify the routing table of the first network device based on the calculated route(s). For example, a first route through the network may exist with the first network device forwarding packets for a destination device to a third network device that does not support one or more security capabilities. Based on the security capabilities of the second network device received at the first network device (e.g., if the second network device supports one or more security capabilities that the third network device does not support), the first route can be updated so the first network device forwards packets for the destination device to the second network device, thus improving the security posture of the network. At block, processing units can transmit a data packet (e.g., to the second network device instead of to the third network device) based on the modified routing table.
According to some aspects of the disclosure, at block, processing units can receive security metrics of the second network device. At block, processing units can determine that the security metrics fail to satisfy a security metrics criterion. At block, processing units can modify the routing table of the first network device based on the security metrics. For example, a second route through the network may exist with the first network device forwarding packets for a second destination device to the second network device, which supports one or more security capabilities. The first network device can receive security metrics of the second network device, which may, for example, indicate the percentage of network packets that have been successfully encrypted/decrypted within a predetermined timeframe. If the security metrics fail to satisfy a security metrics criterion (e.g., if the percentage of successful encryption/decryptions falls below a predetermined threshold), the routing table of the first network device can be modified to forward network packets for the second destination device to another network device (e.g., a fourth network device, which supports one or more security capabilities and has security metrics that satisfy the security metrics criterion) instead of to the second network device.
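The route selection described in the preceding paragraphs (a routing subsystem or network controller computing routes only over devices whose advertised security capabilities satisfy the network configuration, then re-routing when a peer's security metrics fall below a criterion) can be illustrated with a small worked example. The code below is an added example, not code from the patent or its assignee: the device names, capability keys (`macsec`, `secure_boot`), the `encrypt_success_rate` metric, the 0.95 threshold and the link costs are all constructed for illustration. It implements a policy-constrained Dijkstra in which a non-admitted device may still be a destination but is never used as a transit hop, and a controller function that produces one routing table per device, as the controller-side paragraphs describe.

```python
"""Security-aware route selection (added example; names and values constructed)."""
import heapq
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Device:
    """A network device and the security information it advertises."""
    name: str
    capabilities: Dict[str, object]
    metrics: Dict[str, float] = field(default_factory=dict)


@dataclass
class Policy:
    """Security criteria of a network configuration (constructed example)."""
    required_capabilities: Dict[str, object]
    min_encrypt_success: float = 0.0  # security metrics criterion, fraction in [0, 1]

    def admits(self, dev: Device) -> bool:
        # Capability check: every required capability must match exactly.
        for key, wanted in self.required_capabilities.items():
            if dev.capabilities.get(key) != wanted:
                return False
        # Metric check: applied only once the device has reported the metric.
        rate = dev.metrics.get("encrypt_success_rate")
        if rate is not None and rate < self.min_encrypt_success:
            return False
        return True


class Network:
    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}
        self.links: Dict[str, Dict[str, int]] = {}

    def add_device(self, dev: Device) -> None:
        self.devices[dev.name] = dev
        self.links.setdefault(dev.name, {})

    def add_link(self, a: str, b: str, cost: int = 1) -> None:
        self.links[a][b] = cost
        self.links[b][a] = cost

    def update_metrics(self, name: str, **metrics: float) -> None:
        """Periodic security-metric update received from a device."""
        self.devices[name].metrics.update(metrics)

    def routing_table(self, source: str, policy: Policy) -> Dict[str, str]:
        """Dijkstra from `source`; returns {destination: next_hop}.

        Devices not admitted by the policy can be reached as endpoints but
        their links are never relaxed, so no route transits through them.
        """
        dist = {source: 0}
        next_hop: Dict[str, Optional[str]] = {source: None}
        heap = [(0, source)]
        done = set()
        while heap:
            d, u = heapq.heappop(heap)
            if u in done:
                continue
            done.add(u)
            if u != source and not policy.admits(self.devices[u]):
                continue  # reachable as a destination, unusable as transit
            for v, cost in sorted(self.links[u].items()):
                nd = d + cost
                if nd < dist.get(v, float("inf")):
                    dist[v] = nd
                    next_hop[v] = v if u == source else next_hop[u]
                    heapq.heappush(heap, (nd, v))
        return {dst: hop for dst, hop in next_hop.items() if hop is not None}


def controller_tables(net: Network, policy: Policy) -> Dict[str, Dict[str, str]]:
    """Network-controller view: one routing table per device in the network."""
    return {name: net.routing_table(name, policy) for name in net.devices}


def build_example_network() -> Network:
    """Constructed topology: A is the first device, E the destination."""
    net = Network()
    net.add_device(Device("A", {"macsec": True, "secure_boot": True}))
    net.add_device(Device("B", {"macsec": True, "secure_boot": True}))
    net.add_device(Device("C", {"macsec": False, "secure_boot": False}))
    net.add_device(Device("D", {"macsec": True, "secure_boot": True}))
    net.add_device(Device("E", {"macsec": True, "secure_boot": True}))
    net.add_link("A", "B", 1); net.add_link("B", "E", 2)   # secure path, cost 3
    net.add_link("A", "C", 1); net.add_link("C", "E", 1)   # cheapest path, insecure hop
    net.add_link("A", "D", 2); net.add_link("D", "E", 2)   # secure backup, cost 4
    return net


def demo() -> Dict[str, str]:
    """Next hop A uses for E under each stage of the scenario in the text."""
    net = build_example_network()
    open_policy = Policy(required_capabilities={})
    secure = Policy({"macsec": True, "secure_boot": True}, min_encrypt_success=0.95)
    hops = {
        "unconstrained": net.routing_table("A", open_policy)["E"],  # "C"
        "capabilities": net.routing_table("A", secure)["E"],        # "B"
    }
    # B reports that only 80% of packets were encrypted successfully: fails criterion.
    net.update_metrics("B", encrypt_success_rate=0.80)
    hops["after_metrics"] = net.routing_table("A", secure)["E"]     # "D"
    return hops


if __name__ == "__main__":
    for stage, hop in demo().items():
        print(f"{stage}: A forwards traffic for E to {hop}")
```

Design note: the policy is enforced on transit hops rather than on the destination, so a peer that lacks the required capabilities is simply bypassed rather than made unreachable; a deployment that also wants to refuse delivery to non-compliant endpoints would apply `admits` to the destination as well.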
Referring to, at block, processing units executing method can receive, at a second network device (e.g., network device, etc.), security capabilities of a first network device (e.g., network device) of a network. The network can include the first network device and the second network device. The security capabilities of the first network device can include interface-level encryption capabilities, encryption-technology-specific capabilities, secure boot capabilities, cryptographic signature capabilities, software version information, and/or firmware version information.
At block, processing units can modify a routing table of the second network device (e.g., routing table) based on the security capabilities of the first network device. For example, a routing algorithm (e.g., IS-IS, OSPF, BGP, EGP, etc.) can be used to calculate route(s) through the network based on the security capabilities of the first network device and/or one or more properties of other network devices in the network (if present). Processing units can modify the routing table of the second network device based on the calculated route(s). At block, processing units can transmit a data packet based on the modified routing table.
According to some aspects of the disclosure, at block, processing units can receive security metrics of the first network device. At block, processing units can determine that the security metrics fail to satisfy a security metrics criterion. At block, processing units can modify the routing table of the second network device based on the security metrics.
is a flow diagram of an example method for secured network routing, in accordance with at least one embodiment. is a flow diagram of an example method for secured network routing, in accordance with at least one embodiment. Methods and/or may be performed using one or more processing units or processors (e.g., CPUs, GPUs, accelerators, physics processing units (PPUs), data processing units (DPUs), etc.), which may include (or communicate with) one or more memory devices. According to some aspects of the disclosure, methods and/or may be performed using a processing device. According to some aspects of the disclosure, method may be performed using processing units of network controller of, and method may be performed using processing units of network device and/or network device of. According to some aspects of the disclosure, processing units performing any of methods and/or may be executing instructions stored on a non-transient computer-readable storage medium. According to some aspects of the disclosure, any of methods and/or may be performed using multiple processing threads (e.g., CPU threads and/or GPU threads), with individual threads executing one or more individual functions, routines, subroutines, or operations of the method. According to some aspects of the disclosure, processing threads implementing any of methods and/or may be synchronized (e.g., using semaphores, critical sections, and/or other thread synchronization mechanisms). Alternatively, processing threads implementing any of methods and/or may be executed asynchronously with respect to each other. Various operations of methods and/or may be performed in a different order compared with the order shown in and/or. Some operations of methods and/or may be performed concurrently with other operations. According to some aspects of the disclosure, one or more operations shown in and/or may not always be performed.
Referring to, at block, processing units executing method can receive, at a network controller (e.g., network controller, network controller), first security capabilities of a first network device. The security capabilities of the first network device can include interface-level encryption capabilities, encryption-technology-specific capabilities, secure boot capabilities, cryptographic signature capabilities, software version information, and/or firmware version information.
December 18, 2025